b'                                                     u.s. OFFICE OF PERSONNEL MANAGEMENT\n                                                                OFFICE OF THE INSPECTOR GENERAL\n                                                                                 OFFICE OF AUDITS\n\n\n\n\n                                   Final Audit Report \n\n\nSubject:\n\n\n           AUDIT OF THE INFORMATION TECHNOLOGY SECURITY\n                           CONTROLS OF THE\n               U.S. OFFICE OF PERSONNEL MANAGEMENT\'S\n            AUDIT REPORT & RECEIVABLES TRACKING SYSTEM\n                                 FY 2012\n\n                                           Report No. 4A-OP-00-12-013\n\n\n                                          Date:                     July 16, 2012\n\n\n\n\n                                                          --CAUTION-\xc2\xad\nThis audit report has been distributed to Federal officials who are responsible for the administration of the audited program. This audit\nreport may contain proprietary data which is protected by Federal law (18 t:.S.c. 1905). Therefore, while this audit report is available\nunder the Freedom of Information Act and made available to the public on the OIG wcbpage. caution needs to be exercised before\nreleasing the report to the general public as it may contain proprietary information that was redacted from the publicly distributed copy_\n\x0c                                 UNITED STATES OFFICE OF PERSONNEL MANAGEMENT\n                                                                \\Vashington. DC 20415\n\n\n  Of1ice of the\nInspector Gcnl.\'xai\n\n                                                                 Audit Report\n\n                                        u.S. OFFICE OF PERSONNEL MANAGEMENT\n\n\n                             AUDIT OF THE INFORMATION TECHNOLOGY SECURITY \n\n                                             CONTROLS OF THE \n\n                                 U.S. OFFICE OF PERSONNEL MANAGEMENT\'S \n\n                              AUDIT REPORT & RECEIVABLES TRACKING SYSTEM \n\n                                                   FY2012 \n\n\n                                                             WASHINGTON, D.C. \n\n\n\n\n                                                   Report No. 4A-OP-OO-12-013\n\n\n                                                   Date:                      07/16/12\n\n\n\n\n                                                                                              Michael R. Esser\n                                                                                              Assistant Inspector General\n                                                                                                for Audits\n\n                                                                   --CAUTION-\xc2\xad\n         This audit report has heen distributed to Federal officials who are responsible for the administratioa of the audited program. This audit\n         report may contain proprietary data which is protected by Federal law (18 U.S,c. 1905). Therefore, while this audit report is available\n         under the Freedom of Information Act and made available to the public on the OIG webpage, caution needs to be exercised before\n         releasing the report to the general public as it may contain proprietary information that was redacted from the publicly distributed copy.\n\n\n\n\n         www.opm.gov                                                                                                              www.usajobs.gov\n\x0c                                              .\n                            UNITED STATES OFFICE OF PERSONNEL MANAGEMENT\n                                                  Wa."hington, DC 20415\n\n\n   Office of the\nIn.,pcctor (jeneral\n\n                                             Executive Summary\n\n\n                                U.S. OFFICE OF PERSONNEL MANAGEMENT\n\n\n                        A UDIT OF THE INFORMATION TECHNOLOGY SECURITY \n\n                                          CONTROLS OF THE \n\n                             U.S. OFFICE OF PERSONNEL MANAGEMENT\'S \n\n                          AUDIT REPORT & RECEIVABLES TRACKING SYSTEM \n\n                                               FY2012 \n\n\n                                                W ASIDNGTON, D.C. \n\n\n\n\n\n                                        Report No. 4A-OP-OO-12-013\n\n\n                                        Date:              07/16/12\n\n         This final audit report discusses the results of our review of the information technology security \n\n         controls of the U.S. Office of Personnel Management\'s (OPM) Audit Report & Receivables \n\n         Tracking System (ARRTS). Our conclusions are detailed in the "Results" section of this report. \n\n\n         The Office of the Inspector General (OIG) reviewed the ARRTS security program and found that \n\n         ARRTS is inappropriately classified as a major application on the agency\'s system inventory. \n\n         We have recommended that ARRTS be reclassified as a minor application under OPM\'s Local \n\n         Area Network/Wide Area Network general support system. \n\n         Through the course of our review we determined that the following areas appeared to be in full \n\n         FISMA compliance: \n\n               \xe2\x80\xa2 \t A security certification and accreditation (C&A) of ARRTS was completed in February\n                   2010.\n               \xe2\x80\xa2 \t The OIG agrees with the security categorization of "low" for ARRTS.\n               \xe2\x80\xa2 \t The Information System Security Plan for ARR TS contains the critical elements required\n                   by National Institute of Standards and Technology Special Publication (NIST SP) 800\xc2\xad\n                   18.\n\n\n\n\n          www.opm.gov                                                                            www.usajobs.gov\n\x0c   \xe2\x80\xa2   A risk assessment was conducted for ARRTS as a part of its 2010 C&A that addresses all\n       the required elements outlined in relevant NIST guidance.\n   \xe2\x80\xa2   A Privacy Threshold Analysis was conducted for ARRTS determining that a Privacy\n       Impact Assessment was not required for this system.\n\nHowever, we noted the following opportunities for improvement in the ARRTS security\nprogram:\n   \xe2\x80\xa2   An independent security test and evaluation was completed for ARRTS as a part of the\n       system\xe2\x80\x99s C&A process; however, all security controls were not adequately tested.\n   \xe2\x80\xa2   The designated security officer for ARRTS did not conduct a self-assessment of the\n       system.\n   \xe2\x80\xa2   A contingency plan for ARRTS does not contain all elements required by NIST SP 800-\n       34 and has not been tested.\n   \xe2\x80\xa2   The ARRTS Plan of Action and Milestones contains security weaknesses that are\n       significantly overdue.\n   \xe2\x80\xa2   The OIG independently tested 37 of the NIST SP 800-53 controls for ARRTS and found\n       that many of these security controls were not in place during the fieldwork phase of the\n       audit. We found that the following security controls were not fully implemented for\n       ARRTS:\n       o AT-3 Security Training\n       o AU-2 Auditable Events\n       o AU-3 Content of Audit Records\n       o AU-6 Audit Review, Analysis, & Reporting\n       o AU-9 Protection of Audit Information\n       o AU-11 Audit Record Retention\n       o AU-12 Audit Generation\n       o IA-4 Identifier Management\n       o PS-4 Personnel Termination\n       o PS-5 Personnel Transfer\n       o PS-6 Access Agreements\n       o RA-5 Vulnerability Scanning\n       o CM-6 Configuration Settings\n\x0c                                                                 Contents\n                                                                                                                                               Page\n\nIntroduction ......................................................................................................................................1\nBackground ......................................................................................................................................1\nObjectives ........................................................................................................................................1\nScope and Methodology ..................................................................................................................2\nCompliance with Laws and Regulations..........................................................................................3\nResults ..............................................................................................................................................4\n   I.      Certification and Accreditation Statement\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6...4\n   II.     FIPS 199 Analysis \xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6...4\n   III. Information System Security Plan \xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6...4\n   IV. Risk Assessment \xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6..5\n   V.      Independent Security Control Testing \xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6.5\n   VI. Security Control Self-Assessment \xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6...6\n   VII. Contingency Planning and Contingency Plan Testing\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6.6\n   VIII.Privacy Impact Assessment \xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6.8\n   IX. Plan of Action and Milestones Process\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa68\n   X.      NIST SP 800-53 Evaluation .\xe2\x80\xa6.\xe2\x80\xa6\xe2\x80\xa6..\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6..\xe2\x80\xa6\xe2\x80\xa6..\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa69\n   XI. Classification of ARRTS as a Minor Application \xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6.16\nMajor Contributors to this Report ..................................................................................................18\n\nAppendix: The System Owners\xe2\x80\x99 March 21, 2012 response to the draft audit report, issued\n          February 24, 2012\n\x0c                                        Introduction\nOn December 17, 2002, President Bush signed into law the E-Government Act (P.L. 107\xe2\x80\x91347),\nwhich includes Title III, the Federal Information Security Management Act (FISMA). It requires\n(1) annual agency program reviews, (2) annual Inspector General (IG) evaluations, (3) agency\nreporting to the Office of Management and Budget (OMB) the results of IG evaluations for\nunclassified systems, and (4) an annual OMB report to Congress summarizing the material\nreceived from agencies. In accordance with FISMA, we audited the information technology (IT)\nsecurity controls related to the Office of Personnel Management\xe2\x80\x99s (OPM) Audit Report &\nReceivables Tracking System (ARRTS).\n\n                                        Background\nOwnership of ARRTS is shared between OPM\xe2\x80\x99s Office of the Inspector General (OIG), Office\nof the Chief Financial Officer (OCFO), and the Healthcare and Insurance Office (HIO). While\nthese three offices, (referred to as \xe2\x80\x9cthe Owners\xe2\x80\x9d) collectively own and use the system, ARRTS\nresides on OPM\xe2\x80\x99s Local Area Network / Wide Area Network (LAN/WAN) general support\nsystem and is supported by individuals within the Office of the Chief Information Officer\xe2\x80\x99s\n(OCIO) Benefit Systems Group. The purpose of the ARRTS application is to track audits, audit\nrecommendations, and receivables resulting from audits of OPM programs and contracts\npertaining to the Federal Employees Health Benefits Program and the Federal Employees\xe2\x80\x99 Group\nLife Insurance Program. ARRTS is comprised of three main modules: 1) the Audit Management\nModule (used by all three Owners of ARRTS), 2) the Financial Management Module (used by\nOCFO and HIO), and 3) the System Administration Module used only by the system\nadministrator and designated security professionals.\n\n                                         Objectives\nOur objective was to perform an evaluation of the security controls for ARRTS to ensure that the\nOwners of ARRTS have implemented IT security policies and procedures in accordance with\nstandards established by FISMA, the National Institute of Standards and Technology (NIST), the\nFederal Information System Controls Audit Manual (FISCAM) and OPM\xe2\x80\x99s OCIO.\n\nOPM\xe2\x80\x99s IT security policies require managers of all major information systems to complete a\nseries of steps to (1) certify that their system\xe2\x80\x99s information is adequately protected and (2)\nauthorize the system for operations. The audit objective was accomplished by reviewing the\ndegree to which a variety of security program elements have been implemented for ARRTS,\nincluding:\n\xe2\x80\xa2   Certification and Accreditation Statement;\n\xe2\x80\xa2   FIPS 199 Analysis;\n\xe2\x80\xa2   Information System Security Plan;\n\xe2\x80\xa2   Risk Assessment;\n\xe2\x80\xa2   Independent Security Control Testing;\n\xe2\x80\xa2   Security Control Self-Assessment;\n\xe2\x80\xa2   Contingency Planning and Contingency Plan Testing;\n\xe2\x80\xa2   Privacy Impact Assessment;\n\n                                                1\n\x0c\xe2\x80\xa2   Plan of Action and Milestones Process; and\n\xe2\x80\xa2   NIST Special Publication (NIST SP) 800-53 Security Controls.\n\n                                Scope and Methodology\nThis performance audit was conducted in accordance with Government Auditing Standards,\nissued by the Comptroller General of the United States. Accordingly, the audit included an\nevaluation of related policies and procedures, compliance tests, and other auditing procedures\nthat we considered necessary. The audit covered FISMA compliance efforts of the Owners of\nARRTS, including IT security controls in place as of January 2012.\n\nWe considered the ARRTS internal control structure in planning our audit procedures. These\nprocedures were mainly substantive in nature, although we did gain an understanding of\nmanagement procedures and controls to the extent necessary to achieve our audit objectives.\n\nTo accomplish our objective, we interviewed representatives of OPM\xe2\x80\x99s OIG, OCFO, HIO, and\nOCIO divisions and other individuals with security responsibilities for ARRTS. We reviewed\nrelevant OPM IT policies and procedures, federal laws, OMB policies and guidance, and NIST\nguidance. As appropriate, we conducted compliance tests to determine the extent to which\nestablished controls and procedures are functioning as required.\n\nDetails of the security controls protecting the confidentiality, integrity, and availability of\nARRTS are located in the \xe2\x80\x9cResults\xe2\x80\x9d section of this report. Since our audit would not necessarily\ndisclose all significant matters in the internal control structure, we do not express an opinion on\nthe ARRTS system of internal controls taken as a whole.\n\nThe criteria used in conducting this audit include:\n\xe2\x80\xa2   OPM Information Security and Privacy Policy Handbook;\n\xe2\x80\xa2   OMB Circular A-130, Appendix III, Security of Federal Automated Information Resources;\n\xe2\x80\xa2   E-Government Act of 2002 (P.L. 107-347), Title III, Federal Information Security\n    Management Act of 2002;\n\xe2\x80\xa2   The Federal Information System Controls Audit Manual;\n\xe2\x80\xa2   NIST SP 800-12, An Introduction to Computer Security;\n\xe2\x80\xa2   NIST SP 800-18 Revision 1, Guide for Developing Security Plans for Federal Information\n    Systems;\n\xe2\x80\xa2   NIST SP 800-30, Risk Management Guide for Information Technology Systems;\n\xe2\x80\xa2   NIST SP 800-34, Contingency Planning Guide for Information Technology Systems;\n\xe2\x80\xa2   NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal\n    Information Systems;\n\xe2\x80\xa2   NIST SP 800-53 Revision 3, Recommended Security Controls for Federal Information\n    Systems;\n\xe2\x80\xa2   NIST SP 800-60 Volume II, Guide for Mapping Types of Information and Information\n    Systems to Security Categories;\n\xe2\x80\xa2   NIST SP 800-84, Guide to Test, Training, and Exercise Programs for IT Plans and\n    Capabilities;\n\n                                                 2\n\x0c\xe2\x80\xa2   Federal Information Processing Standards Publication (FIPS) 199, Standards for Security\n    Categorization of Federal Information and Information Systems; and\n\xe2\x80\xa2   Other criteria as appropriate.\n\nIn conducting the audit, we relied to varying degrees on computer-generated data. Due to time\nconstraints, we did not verify the reliability of the data generated by the various information\nsystems involved. However, nothing came to our attention during our audit testing utilizing the\ncomputer-generated data to cause us to doubt its reliability. We believe that the data was\nsufficient to achieve the audit objectives. Except as noted above, the audit was conducted in\naccordance with generally accepted government auditing standards issued by the Comptroller\nGeneral of the United States.\n\nThe audit was performed by the OPM Office of the Inspector General, as established by the\nInspector General Act of 1978, as amended. The audit was conducted from November 2011\nthrough January 2012 in OPM\xe2\x80\x99s Washington, D.C. office. This was our first audit of the security\ncontrols surrounding ARRTS.\n\n                    Compliance with Laws and Regulations\nIn conducting the audit, we performed tests to determine whether the Owners\xe2\x80\x99 management of\nARRTS is consistent with applicable standards. Nothing came to our attention during this\nreview to indicate that the Owners of ARRTS are in violation of relevant laws and regulations.\n\n\n\n\n                                               3\n\x0c                                                 Results\n I. Certification and Accreditation Statement\n    A security certification and accreditation (C&A) of ARRTS was completed in February 2010.\n\n    OPM\xe2\x80\x99s Acting IT Security Officer (representing the OCIO) reviewed the ARRTS C&A package\n    and signed the system\xe2\x80\x99s certification package on February 18, 2010. The system\xe2\x80\x99s designated\n    accrediting authority, the Deputy Inspector General, signed the accreditation statement and\n    authorized the continued operation of the system on February 19, 2010.\n\n    NIST SP 800-37 \xe2\x80\x9cGuide for the Security Certification and Accreditation of Federal Information\n    Systems,\xe2\x80\x9d provides guidance to federal agencies in meeting security accreditation requirements.\n    Several elements of the ARRTS C&A package were not completed in full compliance with NIST\n    requirements, including: Independent Security Control Testing, Security Control Self\n    Assessment, Contingency Plan & Contingency Plan Testing, and Plan of Action and Milestones\n    Process. The specific problems we identified in each of these areas are detailed in the sections\n    below.\n\n    In addition, the certification and accreditation occurred several months past the 3 year timeline\n    required by NIST.\n\n    OPM\xe2\x80\x99s OCIO created and published guidance for preparing and conducting C&As in January\n    2011. These policies and procedures are now in effect for all OPM systems. However, the\n    ARRTS C&A was appropriately conducted in accordance with the guidance available in 2010.\n\nII. FIPS 199 Analysis\n    FIPS Publication 199, Standards for Security Categorization of Federal Information and\n    Information Systems, requires federal agencies to categorize all Federal information and\n    information systems in order to provide appropriate levels of information security according to a\n    range of risk levels.\n\n    NIST SP 800-60 Volume II, Guide for Mapping Types of Information and Information Systems\n    to Security Categories, provides an overview of the security objectives and impact levels\n    identified in FIPS Publication 199.\n\n    The ARRTS FIPS 199 categorizes information processed by the system and its corresponding\n    potential impacts on confidentiality, integrity, and availability. ARRTS is categorized with a low\n    impact level for confidentiality, integrity, and availability, resulting in an overall categorization\n    of low. The security categorization of ARRTS appears to be consistent with FIPS 199 and NIST\n    SP 800-60 requirements, and the OIG agrees with the categorization of low.\n\nIII. Information System Security Plan\n    Federal agencies must implement on each information system the security controls outlined in\n    NIST SP 800-53 Revision 3, Recommended Security Controls for Federal Information Systems.\n\n\n                                                     4\n\x0c    NIST SP 800-18 Revision 1, Guide for Developing Security Plans for Federal Information\n    Systems, requires that these controls be documented in an Information System Security Plan\n    (ISSP) for each system, and provides guidance for doing so.\n\n    The ISSP for ARRTS was created using a template that is outlined in NIST SP 800-18. The\n    ISSP contains the key elements outlined in the NIST guide.\n\nIV. Risk Assessment\n    A risk assessment is used as a tool to identify security threats, vulnerabilities, potential impacts,\n    and probability of occurrence. In addition, a risk assessment is used to evaluate the effectiveness\n    of security policies and recommend countermeasures to ensure adequate protection of\n    information technology resources.\n\n    NIST SP 800-30, Risk Management Guide for Information Technology Systems, offers a nine\n    step systematic approach to conducting a risk assessment that includes: (1) system\n    characterization; (2) threat identification; (3) vulnerability identification; (4) control analysis;\n    (5) likelihood determination; (6) impact analysis; (7) risk determination; (8) control\n    recommendation; and (9) results documentation.\n\n    A risk assessment was conducted for ARRTS as a part of the 2010 C&A. All major elements\n    outlined in the NIST guidance were addressed.\n\nV. Independent Security Control Testing\n    A security assessment was completed for ARRTS in December 2009 as a part of the system\xe2\x80\x99s\n    C&A process. The security assessment was conducted by another government agency, the\n    Bureau of Public Debt (BPD). We reviewed the controls within the scope of this test to ensure\n    that they included a review of the appropriate management, operational, and technical controls\n    required for a system with a \xe2\x80\x9clow\xe2\x80\x9d security categorization according to NIST SP 800-53,\n    Recommended Security Controls for Federal Information Systems. Our review determined that\n    the security controls of ARRTS have not been adequately tested.\n\n    The BPD only examined 28 of the over 100 controls applicable to a FIPS 199 \xe2\x80\x9clow\xe2\x80\x9d categorized\n    system. Eighty-eight controls were listed as not applicable to ARRTS. Of those 88, 82 were\n    listed as common controls inherited from either OPM or the LAN/WAN, 1 was listed as a hybrid\n    control and 5 were outright omitted from testing. However, OPM\xe2\x80\x99s common controls catalog\n    only identifies 24 controls that can be inherited by other systems, and therefore it is not possible\n    for ARRTS to inherit 82 controls. Furthermore, our testing during this audit revealed that at least\n    11 of the security controls BPD listed as \xe2\x80\x9cnot applicable\xe2\x80\x9d were not fully implemented for\n    ARRTS (see section X, below, for details).\n\n    FISMA requires that all NIST SP 800-53 controls applicable to the system be tested every three\n    years by an independent source. Inappropriately omitting controls from security control testing\n    increases the risk that security weaknesses remain undetected.\n\n\n\n\n                                                       5\n\x0c     Recommendation 1\n     We recommend that an independent test of the system\xe2\x80\x99s security controls be conducted for\n     ARRTS that fully tests all controls applicable to a FIPS 199 \xe2\x80\x9clow\xe2\x80\x9d system as mandated by NIST\n     SP 800-53.\n\n     System Owners\xe2\x80\x99 Response:\n     \xe2\x80\x9cWe concur with the recommendation and ARRTS is expected to transition to the OPM OCIO\n     to be placed under the LAN/WAN GSS. Preparations are being made between the OCIO and\n     the Office of the Inspector General (OIG) to conduct a thorough test of security controls.\xe2\x80\x9d\n\n     OIG Reply:\n     As part of the audit resolution process, for all recommendations where the System Owners are in\n     agreement with our recommendation, we recommend that the System Owners provide Internal\n     Oversight and Compliance (IOC) with evidence supporting the remediation of the\n     recommendation.\n\nVI. Security Control Self-Assessment\n     FISMA requires that the IT security controls of each major application owned by a federal\n     agency be tested on an annual basis. In the years that an independent security assessment is not\n     being conducted on a system, the system\xe2\x80\x99s owner must conduct an internal self-assessment of\n     security controls. Furthermore, NIST SP 800-53 mandates the development of a security\n     assessment plan and outlines the required inclusions.\n\n     The DSO of ARRTS did not conduct a self-assessment of the system in 2011.\n\n     Failure to complete a security controls test increases the risk that IT security weaknesses are\n     undetected and that the Owners of ARRTS are unable to make informed judgments to\n     appropriately mitigate risks to an acceptable level.\n\n     Recommendation 2\n     We recommend that the Owners of ARRTS ensure that the annual test of security controls is\n     completed for ARRTS.\n\n     System Owners\xe2\x80\x99 Response:\n     \xe2\x80\x9cWe concur with the recommendation. Preparations are being made to conduct an internal\n     self-assessment of security controls and plans will be put in place to ensure this occurs on an\n     annual basis.\xe2\x80\x9d\n\nVII. Contingency Planning and Contingency Plan Testing\n     NIST SP 800-34, Contingency Planning Guide for IT Systems, states that effective contingency\n     planning, execution, and testing are essential to mitigate the risk of system and service\n\n\n\n\n                                                      6\n\x0cunavailability. OPM\xe2\x80\x99s security policies require all major applications to have viable and logical\ndisaster recovery and contingency plans, and that these plans be annually reviewed, tested, and\nupdated.\n\nContingency Plan\nThe ARRTS contingency plan documents the functions, operations, and resources necessary to\nrestore and resume ARRTS operations when unexpected events or disasters occur. The ARRTS\ncontingency plan generally follows the format suggested by NIST SP 800-34 and contains a\nmajority of the suggested elements.\n\nHowever, there are several areas for improvement within the contingency plan. The contingency\nplan had inconsistencies with regard to back-up procedures, did not have complete contact\ninformation for critical individuals, and contained a significantly outdated Memorandum of\nUnderstanding. Furthermore, the Owners of ARRTS did not review the contingency plan in\n2011.\n\nFailure to maintain a thorough contingency plan decreases the likelihood that the system can\nremain operable should unexpected events or disasters occur.\n\nRecommendation 3\nWe recommend that the Owners of ARRTS revise the system\xe2\x80\x99s contingency plan to ensure it\nencompasses all requirements outlined in NIST SP 800-34.\n\nSystem Owners\xe2\x80\x99 Response:\n\xe2\x80\x9cWe concur with the recommendation and the ARRTS Contingency Plan is being rewritten\ninto the updated template provided by the OCIO. The primary Contingency Plan will be the\nplan for the LAN/WAN GSS and the Contingency Plan for ARRTS will address contacts and\nactions that will be needed specifically for ARRTS in the event of a situation.\xe2\x80\x9d\n\nRecommendation 4\nWe recommend that the Owners of ARRTS implement a process for annually reviewing the\ncontingency plan.\n\nSystem Owners\xe2\x80\x99 Response:\n\xe2\x80\x9cWe concur with the recommendation and will implement a plan to annually review the\nARRTS contingency plan. A plan is currently underway to conduct a table top exercise\ndesigned to review and test the Contingency Plan.\xe2\x80\x9d\n\nContingency Plan Test\nNIST SP 800-34, Contingency Planning Guide for Information Technology, provides guidance\nfor testing contingency plans and documenting the results. In addition, NIST SP 800-53 Control\nCP-3 requires system owners to train \xe2\x80\x9cpersonnel in their contingency roles and responsibilities to\nthe information system and provide refresher training.\xe2\x80\x9d\n\n\n                                                7\n\x0c      The Owners of ARRTS did not conduct a test of the system\xe2\x80\x99s contingency plan in 2011.\n\n      Contingency plan testing is a critical element of a viable disaster recovery capability. Failure to\n      routinely test the contingency plan decreases the likelihood that the system can remain operable\n      should unexpected events or disasters occur.\n\n      Recommendation 5\n      We recommend that the Owners of ARRTS test the system\xe2\x80\x99s contingency plan on an annual\n      basis.\n\n      System Owners\xe2\x80\x99 Response:\n      \xe2\x80\x9cWe concur with the recommendation and the OCIO and the three ARRTS stakeholders will\n      conduct an annual test of the ARRTS Contingency Plan.\xe2\x80\x9d\n\nVIII. Privacy Impact Assessment\n      FISMA requires agencies to perform a screening of federal information systems to determine if a\n      Privacy Impact Assessment (PIA) is required for that system. OMB Memorandum M-03-22\n      outlines the necessary components of a PIA. The purpose of the assessment is to evaluate any\n      vulnerabilities of privacy in information systems and to document any privacy issues that have\n      been identified and addressed. The OPM Privacy Impact Assessment Guide states that \xe2\x80\x9cAll\n      OPM IT systems must have a PTA. If the PTA reveals that the system collects no information in\n      identifiable form, for example, the Privacy Program Manager will indicate in the PTA review\n      that no PIA is required. The PTA must be incorporated into the system\xe2\x80\x99s certification and\n      accreditation (C&A) package.\xe2\x80\x9d\n\n      The Owners of ARRTS completed a Privacy Threshold Analysis (PTA) of ARRTS and\n      determined that a PIA was not required for this system because it does not contain Personally\n      Identifiable Information (PII). The OIG agrees with this conclusion.\n\n IX. Plan of Action and Milestones Process\n      A Plan of Action and Milestones (POA&M) is a tool, mandated by NIST SP 800-53 Control CA-\n      5, used to assist agencies in identifying, assessing, prioritizing, and monitoring the progress of\n      corrective efforts for IT security weaknesses. OPM has implemented an agency-wide POA&M\n      process to help track known IT security weaknesses associated with the agency\xe2\x80\x99s information\n      systems.\n\n      The OIG evaluated the ARRTS POA&M and verified that it follows the format of OPM\xe2\x80\x99s\n      standard template, and has been routinely submitted to OCIO for evaluation. We also\n      determined that the POA&M contained entries for all security weaknesses identified through\n      various security control tests and audits. However, the Owners of ARRTS are not utilizing the\n      POA&M process effectively. The ARRTS POA&M contained 10 security weaknesses, the\n      majority of which have remediation activities in excess of 400 days overdue. In addition, the\n      ARRTS POA&M does not contain the specific recommended corrective action, or provide detail\n      to specific milestones or action items required to address the weakness. Each POA&M item\n      typical only states that a solution will be discussed, documented, and implemented.\n\n                                                       8\n\x0c   Failure to use the POA&M processes to address known security weaknesses in a timely manner\n   increases the risk that someone could gain unauthorized access to the system or the data it\n   contains.\n\n   Recommendation 6\n   We recommend that the Owners of ARRTS revise the POA&M items currently listed to include\n   the recommended corrections, milestones, and action items, rather than just identifying the\n   weaknesses.\n\n   System Owners\xe2\x80\x99 Response:\n   \xe2\x80\x9cWe concur with the recommendation and will implement the changes to the current POA&M\n   items. As soon as ARRTS is transitioned to the OCIO, the ARRTS stakeholders will\n   coordinate with the OCIO for remediation of the existing POA&Ms, tracking their progress,\n   and adding new vulnerabilities as they are identified.\xe2\x80\x9d\n\n   Recommendation 7\n   We recommend that the Owners of ARRTS develop a plan for the immediate remediation of all\n   overdue POA&M items.\n\n   System Owners\xe2\x80\x99 Response:\n   \xe2\x80\x9cWe concur with the recommendation and will review the current POA&M items. As ARRTS\n   is transitioned to the OCIO, the stakeholders will coordinate with the OCIO for the\n   remediation of the existing POA&Ms.\xe2\x80\x9d\n\nX. NIST SP 800-53 Evaluation\n   NIST SP 800-53 Revision 3, Recommended Security Controls for Federal Information Systems,\n   provides guidance for implementing a variety of security controls for information systems\n   supporting the federal government. As part of this audit, we evaluated whether a subset of these\n   controls had been implemented for ARRTS. We tested 37 of the approximately 100 security\n   controls outlined in NIST SP 800-53 Revision 3 that are applicable to a FIPS 199 \xe2\x80\x9clow\xe2\x80\x9d\n   categorized system. We tested the following controls:\n   \xe2\x80\xa2   Access Control: AC-14, AC-17, AC-18,        \xe2\x80\xa2   Identification and Authentication: IA-4\n       AC-19, AC-20, & AC-22                           & IA-8\n   \xe2\x80\xa2   Awareness and Training: AT-3                \xe2\x80\xa2   Maintenance MA-4 & MA-5\n   \xe2\x80\xa2   Audit and Accountability: AU-2, AU-3,       \xe2\x80\xa2   Personnel Security: PS-2, PS-4, PS-5,\n       AU-6, AU-9, AU-11, & AU-12                      PS-6, & PS-7\n   \xe2\x80\xa2   Security Assessment and Authorization:      \xe2\x80\xa2   Risk Assessment: RA-5\n       CA-2, CA-3, CA-5, & CA-6\n   \xe2\x80\xa2   Configuration Management: CM-2, CM-         \xe2\x80\xa2   System and Services Acquisition: SA-9\n       6, & CM-7\n   \xe2\x80\xa2   Contingency Planning: CP-2, CP-3, CP-       \xe2\x80\xa2   System and Communication Protection:\n       9, & CP-10                                      SC-14 & SC-15\n\n\n\n                                                  9\n\x0cThese controls were evaluated by interviewing individuals with ARRTS security responsibilities,\nreviewing documentation and system screenshots, viewing demonstrations of system\ncapabilities, and conducting tests directly on the system.\n\nThrough our testing we determined that many of the NIST SP 800-53 security controls\napplicable to ARRTS have not been successfully implemented.\n\na) AT-3 Security Training\n   Not all individuals with significant IT responsibility for ARRTS have been identified by the\n   Owners of the system. As a result, OPM\xe2\x80\x99s IT Security and Privacy Group (ITSPG) is unable\n   to track training completed by individuals with IT responsibility, as required by FISMA.\n\n   NIST SP 800-53 control AT-3 mandates that \xe2\x80\x9cThe organization provides role-based security-\n   related training: (1) before authorizing access to the system or performing assigned duties;\n   (ii) when required by system changes; and (iii) [annually, as designated by OPM policy]\n   thereafter.\xe2\x80\x9d\n\n   Failure to properly document and report security training to the ITSPG increases the\n   likelihood that individuals with significant IT responsibilities for ARRTS do not receive the\n   appropriate annual training for their position.\n\n   Recommendation 8\n   We recommend that the Owners of ARRTS identify the individuals with significant IT\n   responsibility for ARRTS that require specialized IT security training.\n\n   System Owners\xe2\x80\x99 Response:\n   \xe2\x80\x9cWe concur with the recommendation and a list of individuals from the OIG that have\n   significant IT responsibility for ARRTS will be compiled and those names will be supplied\n   to the OCIO to ensure that these individuals receive specialized IT security training\n   annually.\xe2\x80\x9d\n\n   Recommendation 9\n   We recommend that the Owners of ARRTS ensure that all employees with significant\n   information security responsibility for ARRTS take meaningful and appropriate specialized\n   security training on an annual basis.\n\n   System Owners\xe2\x80\x99 Response:\n   \xe2\x80\x9cWe concur with the recommendation and the OIG will add a POA&M to the OIG LAN\n   POA&Ms that requires the tracking of the annual security training for all staff that has\n   significant IT responsibilities. A report pertaining to the staff training will be provided to\n   the OCIO.\xe2\x80\x9d\n\n\n\n\n                                               10\n\x0cb) AU-2 Auditable Events, AU-3 Content of Audit Records, AU-6 Audit Review, Analysis\n   & Reporting, AU-9 Protection of Audit Information, AU-11 Audit Record Retention, &\n   AU-12 Audit Generation\n   The management of audit logs for ARRTS could be improved.\n\n   Database level auditing is not currently enabled for ARRTS. Oracle10 has the capability to\n   perform audit functions. However, a list of auditable events has not been developed by the\n   system\xe2\x80\x99s Owners. ARRTS uses a single Oracle account to access the database, and therefore\n   the database logs cannot distinguish the transactions conducted by various User IDs. This\n   fact should be taken into consideration when determining the events to log, but should not be\n   justification against auditing database changes. Furthermore, auditing should still be\n   implemented at the application level. Transaction level detail should be logged, protected\n   from alteration, and routinely reviewed by the Owners of ARRTS.\n\n   Failure to routinely log and review user activity increases the risk that fraudulent or\n   malicious activity can occur undetected.\n\n   Recommendation 10\n   We recommend that the Owners of ARRTS develop an audit policy that contains a list of\n   events that should be logged for ARRTS at the database and application levels.\n\n   System Owners\xe2\x80\x99 Response:\n   \xe2\x80\x9cWe concur with the recommendation and the OCIO and the three stakeholders will\n   develop an audit policy that contains a list of events that should be logged.\xe2\x80\x9d\n\n   Recommendation 11\n   We recommend that the ARRTS system be modified to generate audit logs in accordance\n   with audit policy and in compliance with all applicable NIST SP 800-53 standards.\n\n   System Owners\xe2\x80\x99 Response:\n   \xe2\x80\x9cWe concur with the recommendation and ARRTS will be evaluated for the feasibility of\n   implementing system modifications to generate audit logs that are in compliance with\n   NIST SP 800-53 standards.\xe2\x80\x9d\n\n   Recommendation 12\n   We recommend that ARRTS be modified to ensure all audit logs cannot be inappropriately\n   accessed, modified, or deleted.\n\n   System Owners\xe2\x80\x99 Response:\n   \xe2\x80\x9cWe concur with the recommendation and ARRTS will be evaluated for the feasibility of\n   system modifications to ensure that audit logs cannot be inappropriately accessed,\n   modified, or deleted.\xe2\x80\x9d\n\n\n\n                                                11\n\x0c   Recommendation 13\n   We recommend that the Owners of ARRTS routinely monitor/review audit logs generated by\n   ARRTS.\n\n   System Owners\xe2\x80\x99 Response:\n   \xe2\x80\x9cWe concur with the recommendation and procedures will be put in place to ensure that\n   ARRTS audit logs are routinely monitored and reviewed.\xe2\x80\x9d\n\nc) IA-4 Identifier Management\n   There are individuals that have multiple user accounts for ARRTS.\n\n   NIST SP 800-53 requires that System Owners manage \xe2\x80\x9cinformation system identifiers for\n   users by: \xe2\x80\xa6 Selecting an identifier that uniquely identifies an individual\xe2\x80\xa6 [and] preventing\n   reuse of user . . . identifiers . . . .\xe2\x80\x9d\n\n   Assigning multiple accounts to one user increases the risk that individuals can gain\n   unauthorized access to ARRTS data.\n\n   Recommendation 14\n   We recommend that the Owners of ARRTS disable/delete unnecessary duplicate ARRTS\n   user accounts.\n\n   System Owners\xe2\x80\x99 Response:\n   \xe2\x80\x9cWe concur with the recommendation however, the ARRTS database design requires that\n   the user ID that the record was stored under be present; removing or disabling any user ID\n   makes any records that are associated with that user ID irretrievable. Access to the\n   ARRTS system requires that a user first log into the OPM LAN with a valid user ID and\n   password. If an OPM staff member is terminated, retires, or leaves the agency they no\n   longer have access to the OPM LAN and as a result they can no longer access the ARRTS\n   application. If the employee changes jobs within OPM and no longer requires access to\n   ARRTS, documented procedures will be in place to ensure that the ARRTS application is\n   removed from that individual\xe2\x80\x99s computer. While there may be a low level risk still\n   associated with outdated user IDs remaining active in ARRTS, we believe the level of risk\n   is extremely low. This matter will require a Business Case Exception to be developed and\n   approved to accept this risk.\xe2\x80\x9d\n\n   OIG Reply:\n   OPM\xe2\x80\x99s Information Security and Privacy Policy Handbook states that \xe2\x80\x9cThe information\n   system shall uniquely identify and authenticate organizational users\xe2\x80\x9d and requires that\n   \xe2\x80\x9cInformation system identifiers for users and devices . . . be managed by: . . . Preventing\n   reuse of user or device identifiers permanently.\xe2\x80\x9d\n\n\n\n\n                                               12\n\x0c   Proper maintenance of user accounts is an important security control, and accepting the risk\n   of maintaining duplicate user accounts is not appropriate in this case. We recommend that a\n   system modification be made to facilitate the prompt removal of duplicate users\xe2\x80\x99 system\n   level access to ARRTS.\n\n   Recommendation 15\n   We recommend that the Owners of ARRTS implement a process to routinely audit all active\n   user accounts to ensure that no unnecessary duplicate accounts exist.\n\n   System Owners\xe2\x80\x99 Response:\n   \xe2\x80\x9cWe concur with the recommendation and will implement a process to routinely review all\n   active user accounts in ARRTS however, the ARRTS database design requires that the\n   user ID that the record was stored under be present; removing or disabling any user ID\n   makes any records that are associated with that user ID irretrievable. . . .\xe2\x80\x9d\n\n   OIG Reply:\n   As stated above, it is not appropriate to accept the risks associated with the inability to\n   appropriately manage user accounts. We recommend that a system modification be made to\n   facilitate the prompt removal of duplicate users\xe2\x80\x99 system level access to ARRTS and that an\n   audit process be implemented to ensure duplicate accounts do not exist.\n\nd) PS-4 Personnel Termination\n   User IDs are never removed or disabled from ARRTS, and IDs for a significant number of\n   individuals remain active after the individuals\xe2\x80\x99 employment was terminated. Disabling\n   ARRTS application accounts after a user is terminated provides an extra layer of control to\n   ensure that unauthorized users cannot access the system.\n\n   NIST SP 800-53 requires System Owners to ensure that \xe2\x80\x9cupon termination of individual\n   employment: . . .Terminate information system access.\xe2\x80\x9d\n\n   Recommendation 16\n   We recommend that the Owners of ARRTS disable active user accounts that belong to\n   terminated employees.\n\n   System Owners\xe2\x80\x99 Response:\n   \xe2\x80\x9cWe concur with the recommendation however, the ARRTS database design requires that\n   the user ID that the record was stored under be present; removing or disabling any user ID\n   makes any records that are associated with that user ID irretrievable. . . .\xe2\x80\x9d\n\n   OIG Reply:\n   Access to ARRTS is not restricted by terminal or synced with the user\xe2\x80\x99s LAN account, thus\n   removing the ARRTS application from the individual\xe2\x80\x99s computer and disabling a LAN\n   account does not prevent an individual from using that user ID and password to gain access\n\n                                              13\n\x0c   to ARRTS from any other terminal where the application is loaded. Therefore, accepting the\n   risk of maintaining user accounts after termination is not an appropriate course of action. We\n   recommend that a system modification be made to facilitate the prompt removal of\n   terminated users\xe2\x80\x99 system level access to ARRTS.\n\n   Recommendation 17\n   We recommend that the Owners of ARRTS periodically audit active ARRTS user accounts\n   to verify that accounts do not remain open for individuals no longer employed at OPM and\n   that the level of access granted remains appropriate.\n\n   System Owners\xe2\x80\x99 Response:\n   \xe2\x80\x9cWe concur with the recommendation and will implement procedures requiring periodic\n   audits of active ARRTS user accounts however, the ARRTS database design requires that\n   the user ID that the record was stored under be present; removing or disabling any user ID\n   makes any records that are associated with that user ID irretrievable. . . .\xe2\x80\x9d\n\n   OIG Reply:\n   As mentioned above, it is not appropriate to accept the risk associated with ARRTS inability\n   to disable or remove user accounts. We continue to recommend that a system modification\n   be made to ARRTS that enables the system owners to promptly disable active user accounts\n   that belong to terminated employees.\n\ne) PS-5 Personnel Transfer\n   There are a substantial number of individuals with active user IDs that do not currently have\n   a business reason to have access to ARRTS.\n\n   NIST SP 800-53 requires the System Owners to review \xe2\x80\x9clogical and physical access\n   authorizations to information systems/facilities when personnel are reassigned or transferred\n   to other positions within the organization . . . .\xe2\x80\x9d\n\n   Maintaining active user IDs for individuals who do not have a business reason to have access\n   to ARRTS increases the risk that individuals can inappropriately access ARRTS data.\n\n   Recommendation 18\n   We recommend that the Owners of ARRTS disable/delete unnecessary user IDs for users\n   who no longer have a business reason to have access to ARRTS.\n\n   System Owners\xe2\x80\x99 Response:\n   \xe2\x80\x9cWe concur with the recommendation however, the ARRTS database design requires that\n   the user ID that the record was stored under be present; removing or disabling any user ID\n   makes any records that are associated with that user ID irretrievable. . . .\xe2\x80\x9d\n\n\n\n\n                                               14\n\x0c   OIG Reply:\n   As mentioned above, it is not appropriate to accept the risk associated with ARRTS inability\n   to disable or remove user accounts. We continue to recommend that a system modification\n   be made to ARRTS that enables the system owners to promptly disable active user accounts\n   that belong to terminated employees.\n\nf) PS-6 Access Agreements\n   ARRTS users are not required to sign a rules of behavior document.\n\n   NIST SP 800-53 requires the System Owners to ensure \xe2\x80\x9cthat individuals requiring access to\n   organizational information and information systems sign appropriate access agreements prior\n   to being granted access.\xe2\x80\x9d\n\n   Failure to require users to sign access agreements increases the likelihood that users will\n   inappropriately access or manipulate information within ARRTS.\n\n   Recommendation 19\n   We recommend that the Owners of ARRTS develop a Rules of Behavior/Acceptable Use\n   Statement for ARRTS and ensure it is signed by all users.\n\n   System Owners\xe2\x80\x99 Response:\n   \xe2\x80\x9cWe concur with the recommendation and the OIG will implement a Rules of\n   Behavior/Acceptable Use document specifically for ARRTS to be signed by all current and\n   future ARRTS users.\xe2\x80\x9d\n\ng) RA-5 Vulnerability Scanning\n   Vulnerability scanning is not conducted for ARRTS.\n\n   NIST SP 800-53 mandates that vulnerability scanning is conducted, vulnerability scan\n   reports be analyzed, and that legitimate vulnerabilities be remediated.\n\n   Not conducting vulnerability scans increases the likelihood that vulnerabilities within the\n   system go undetected and that system weaknesses could be exploited.\n\n   Recommendation 20\n   We recommend that the Owners of ARRTS ensure that routine vulnerability scans are\n   conducted on the system.\n\n   System Owners\xe2\x80\x99 Response:\n   \xe2\x80\x9cWe concur with the recommendation and as soon as ARRTS is transitioned to the\n   OCIO\xe2\x80\x99s LAN/WAN GSS, the OCIO plans to do routine vulnerability scans.\xe2\x80\x9d\n\n\n\n\n                                                15\n\x0c    h) CM-6 Configuration Settings\n       The OIG conducted vulnerability scans of the database and server supporting ARRTS using\n       AppDetective Pro and Nessus scanning tools. Although the technical details of these settings\n       will not be included in this report, the Owners of ARRTS and the administrators responsible\n       for this database and server have been provided with this information.\n\n       The vulnerability scans revealed that both the database and server contain settings configured\n       in a manner not fully compliant with OPM\xe2\x80\x99s configuration policies.\n\n       NIST SP 800-53 requires that the Owners of ARRTS ensure that the system is configured\n       such that it \xe2\x80\x9creflects the most restrictive mode consistent with operational requirements\xe2\x80\x9d and\n       contains \xe2\x80\x9cconfiguration settings in accordance with organizational policies and procedures.\xe2\x80\x9d\n\n       Maintaining configurations outside of OPM policies greatly increases the likelihood that the\n       configuration weaknesses could be exploited to gain unauthorized access to the system.\n\n       Recommendation 21\n       We recommend that the database supporting ARRTS be configured in a manner that is\n       compliant with OPM\xe2\x80\x99s policies.\n\n       System Owners\xe2\x80\x99 Response:\n       \xe2\x80\x9cWe concur with the recommendation and will coordinate with the OCIO to ensure that\n       the database and server is configured in a manner that is compliant with OPM\xe2\x80\x99s policies.\xe2\x80\x9d\n\n       Recommendation 22\n       We recommend that the server supporting ARRTS be configured in a manner that is\n       compliant with OPM\xe2\x80\x99s policies.\n\n       System Owners\xe2\x80\x99 Response:\n       \xe2\x80\x9cWe concur with the recommendation [and] will coordinate with the OCIO to ensure that\n       ARRTS is compliant with OPM policies.\xe2\x80\x9d\n\nXI. Classification of ARRTS as a Minor Application\n    ARRTS is currently classified as a \xe2\x80\x9cmajor application\xe2\x80\x9d and is included on OPM\xe2\x80\x99s master\n    inventory of major systems. However, as mentioned in section II, above, ARRTS is designated\n    with a FIPS 199 \xe2\x80\x9clow\xe2\x80\x9d security categorization. NIST SP 800-18 states that \xe2\x80\x9cA major application\n    is expected to have a FIPS 199 impact level of moderate or high.\xe2\x80\x9d Therefore, an application with\n    a \xe2\x80\x9clow\xe2\x80\x9d categorization such as ARRTS should not be included as a major application on the agency\xe2\x80\x99s\n    system inventory.\n\n    OPM\xe2\x80\x99s LAN/WAN general support system (owned and operated by the OCIO) currently\n    supports a variety of minor applications. Considering the OCIO currently provides technical\n    support for ARRTS and the system already resides within the boundaries of the LAN/WAN, we\n    believe that ARRTS should be reclassified as a minor application within the LAN/WAN.\n\n                                                   16\n\x0cAs part of the reclassification process, the OCIO should update the LAN/WAN ISSP to include\nARRTS as a minor application and to document the security controls that ARRTS inherits from\nthe general support system.\n\nAlthough transitioning ARRTS to a minor application would alleviate some of the C&A related\nrequirements that major systems are subject to, it does not absolve the Owners of the system\nfrom ensuring the remediation of the extensive security weaknesses identified in prior security\nassessments and this audit report.\n\nRecommendation 23\nWe recommend that the Owners of ARRTS work with the OCIO to reclassify ARRTS as a minor\napplication within the LAN/WAN general support system.\n\nSystem Owners\xe2\x80\x99 Response:\n\xe2\x80\x9cWe concur with the recommendation and a Memorandum of Understanding is being\ndeveloped in anticipation of the downgrade of ARRTS to a minor application system and the\ntransition of ARRTS to the OPM LAN/WAN GSS.\xe2\x80\x9d\n\nRecommendation 24\nWe recommend that the OCIO update the LAN/WAN ISSP to reflect ARRTS as a minor\napplication.\n\nSystem Owners\xe2\x80\x99 Response:\n\xe2\x80\x9cWe concur with the recommendation and we are currently working with the OCIO to\ndowngrade ARRTS to a minor application. We will work closely with the OCIO to ensure that\nthe LAN/WAN ISSP is updated to reflect ARRTS as a minor application.\xe2\x80\x9d\n\n\n\n\n                                               17\n\x0c                          Major Contributors to this Report\nThis audit report was prepared by the U.S. Office of Personnel Management, Office of Inspector\nGeneral, Information Systems Audits Group. The following individuals participated in the audit\nand the preparation of this report:\n\xe2\x80\xa2                  , Group Chief\n\xe2\x80\xa2                    , Senior Team Leader\n\xe2\x80\xa2               , Auditor-in-Charge\n\n\n\n\n                                              18\n\x0c                                                     Appendix\n                           UNITED STATES OFFICE OF PERSONNEL MANAGE:-"IENT \n\n                                                 WClsh iJlgt<lll. I>C 20..t 15 \n\n\n\n    O rhc\'c of the\nhl\', pcc tnf Ge nna l\n                                                   March 21, 2012\n\n\n\n\n         MEMORANDUM\n                                         iIii\'OITllaiIOii SvstelffisAudit Group\n         FROM:                    NORBERT E. VINT\n                                  Deputy Inspector Geng"r:)\n\n         SUBJECT: \t               Audit of the Infonnation Technology Security Controls of the U.S.\n                                  Office of Personnel Management\' s Audit Report & Receivables\n                                  Tracking System (Report No. 4A-Ol\'-00-12-013)\n\n         Thank you for providing us with a copy of the draft audit repon detailing the results of our fiscal\n         year 2012 audit of the U.S. Office of Personnel Management\'s (OPM) Audit Report &\n         Receivables Tracking System (ARRTS) compliance with the Federallnrorrnation Security\n         Management Act (FISMA), as well as OPM\'s information technology policies and procedures.\n\n         The Ofiice of the Inspector General has been coordinating with the Office of the Chief\n         lnfonnation Officer (OCIO) to downgrade ARRTS to a minor application system supported by\n         the OPM Local Area N etworkiWide Area Network General Support System (LANIW AN GSS).\n         Our audit responses reflect the likelihood that the ARRTS downgrade will occur in the very near\n         future and that a Memorandum of Understanding will be in place to govern the relationship\n         between the ARRTS stakeholders and the OCIO.\n\n         Our comments in response to the audit recommendations are contained below. These responses\n         have been coordinated with the ARRTS stakeholders.\n\n         Independent Security Control Testing\n\n         Recommendation 1\n         We recommend that an indepe ndent test of the system \'s security controls be conducted for\n         ARRTS that fully tests all controls applicable to a FIPS 199 "low" system as mandated by NIST\n         800-53.\n\n         Rcsponse 1\n         We concur with the recommendation and ARRTS is expected to transition to the OPM OCIO to\n         be placed under the LAN/W AN GSS. Preparations are being made between the OCIO and the\n         Office of the Inspector Genera l (OIG) to conduct a thorough test of security controls.\n\x0cSecurity Control Self-Assessment\n\nRecommendation 2\nWe recommend that the Owners of ARRTS ensure that the annual test of security controls is\ncompleted for ARRTS.\n\nResponse 2\nWe concur with the recommendation. Preparations are being made to conduct an internal self-\nassessment of security controls and plans will be put in place to ensure this occurs on an annual\nbasis.\n\nContingency Plan\n\nRecommendation 3\nWe recommend that the Owners of ARRTS revise the Contingency Plan to ensure it\nencompasses all requirements outlined in NIST 800-53 CP-2 Contingency Plan.\n\nResponse 3\nWe concur with the recommendation and the ARRTS Contingency Plan is being rewritten into\nthe updated template provided by the OCIO. The primary Contingency Plan will be the plan for\nthe LAN/WAN GSS and the Contingency Plan for ARRTS will address contacts and actions that\nwill be needed specifically for ARRTS in the event of a situation.\n\nContingency Plan Testing\n\nRecommendation 4\nWe recommend that the Owners of ARRTS implement a process for annually reviewing the\nContingency Plan.\n\nResponse 4\nWe concur with the recommendation and will implement a plan to annually review the ARRTS\ncontingency plan. A plan is currently underway to conduct a table top exercise designed to\nreview and test the Contingency Plan.\n\nRecommendation 5\nWe recommend that the Owners of ARRTS test the system\xe2\x80\x99s contingency plan on an annual\nbasis.\n\nResponse 5\nWe concur with the recommendation and the OCIO and the three ARRTS stakeholders will\nconduct an annual test of the ARRTS Contingency Plan.\n\x0cPlan of Action and Milestones (POA&Ms) Process\n\nRecommendation 6\nWe recommend that the Owners of ARRTS revise the POA&M items currently listed to include\nthe recommendations, rather than just identifying the weaknesses.\n\nResponse 6\nWe concur with the recommendation and will implement the changes to the current POA&M\nitems. As soon as ARRTS is transitioned to the OCIO, the ARRTS stakeholders will coordinate\nwith the OCIO for remediation of the existing POA&Ms, tracking their progress, and adding new\nvulnerabilities as they are identified.\n\nRecommendation 7\nWe recommend that the Owners of ARRTS develop a plan for the immediate remediation of all\noverdue POA&M items.\n\nResponse 7\nWe concur with the recommendation and will review the current POA&M items. As ARRTS is\ntransitioned to the OCIO, the stakeholders will coordinate with the OCIO for the remediation of\nthe existing POA&Ms.\n\nAT-3 Security Training\n\nRecommendation 8\nWe recommend that the Owners of ARRTS identify the individuals with significant information\ntechnology (IT) responsibility for ARRTS that require specialized IT security training.\n\nResponse 8\nWe concur with the recommendation and a list of individuals from the OIG that have significant\nIT responsibility for ARRTS will be compiled and those names will be supplied to the OCIO to\nensure that these individuals receive specialized IT security training annually.\n\nRecommendation 9\nWe recommend that the Owners of ARRTS ensure that all employees with significant\ninformation security responsibility for ARRTS take meaningful and appropriate specialized\nsecurity training on an annual basis.\n\nResponse 9\nWe concur with the recommendation and the OIG will add a POA&M to the OIG LAN\nPOA&Ms that requires the tracking of the annual security training for the all staff that has\nsignificant IT responsibilities. A report pertaining to the staff training will be provided to the\nOCIO.\n\x0cThe Owners of ARRTS\xe2\x80\x99 management of audit logs for ARRTS could be improved\n\nRecommendation 10\nWe recommend that the Owners of ARRTS develop an audit policy that contains a list of events\nthat should be logged for ARRTS at the database and application levels.\n\nResponse 10\nWe concur with the recommendation and the OCIO and the three stakeholders will develop an\naudit policy that contains a list of events that should be logged.\n\nRecommendation 11\nWe recommend that the ARRTS system be modified to generate audit logs in accordance with\naudit policy and in compliance with all applicable NIST 800-53 standards.\n\nResponse 11\nWe concur with the recommendation and ARRTS will be evaluated for the feasibility of\nimplementing system modifications to generate audit logs that are in compliance with NIST 800-\n53 standards.\n\nRecommendation 12\nWe recommend that ARRTS be modified to ensure all audit logs cannot be inappropriately\naccessed, modified, or deleted.\n\nResponse 12\nWe concur with the recommendation and ARRTS will be evaluated for the feasibility of system\nmodifications to ensure that audit logs cannot be inappropriately accessed, modified, or deleted.\n\nRecommendation 13\nWe recommend that the Owners of ARRTS routinely monitor/review audit logs generated by\nARRTS.\n\nResponse 13\nWe concur with the recommendation and procedures will be put in place to ensure that ARRTS\naudit logs are routinely monitored and reviewed.\n\nIA-4 Identifier Management\n\nRecommendation 14\nWe recommend that the Owners of ARRTS disable/delete unnecessary duplicate ARRTS user\naccounts.\n\nResponse 14\nWe concur with the recommendation however, the ARRTS database design requires that the user\nID that the record was stored under be present; removing or disabling any user ID makes any\nrecords that are associated with that user ID irretrievable. Access to the ARRTS system requires\nthat a user first log into the OPM LAN with a valid user ID and password. If an OPM staff\n\x0cmember is terminated, retires, or leaves the agency they no longer have access to the OPM LAN\nand as a result they can no longer access the ARRTS application. If the employee changes jobs\nwithin OPM and no longer requires access to ARRTS, documented procedures will be in place to\nensure that the ARRTS application is removed from that individual\xe2\x80\x99s computer. While there\nmay be a low level risk still associated with outdated user IDs remaining active in ARRTS, we\nbelieve the level of risk is extremely low. This matter will require a Business Case Exception to\nbe developed and approved to accept this risk.\n\nRecommendation 15\nWe recommend that the Owners of ARRTS implement a process to routinely audit all active user\naccounts to ensure that no unnecessary duplicate accounts exist.\n\nResponse 15\nWe concur with the recommendation and will implement a process to routinely review all active\nuser accounts in ARRTS however, the ARRTS database design requires that the user ID that the\nrecord was stored under be present; removing or disabling any user ID makes any records that\nare associated with that user ID irretrievable. Access to the ARRTS system requires that a user\nfirst log into the OPM LAN with a valid user ID and password. If an OPM staff member is\nterminated, retires, or leaves the agency they no longer have access to the OPM LAN and as a\nresult they can no longer access the ARRTS application. If the employee changes jobs within\nOPM and no longer requires access to ARRTS, documented procedures will be in place to ensure\nthat the ARRTS application is removed from that individual\xe2\x80\x99s computer. While there may be a\nlow level risk still associated with outdated user IDs remaining active in ARRTS, we believe the\nlevel of risk is extremely low. This matter will require a Business Case Exception to be\ndeveloped and approved to accept this risk.\n\nPS-4 Personnel Termination\n\nRecommendation 16\nWe recommend that the Owners of ARRTS disable active user accounts that belong to\nterminated employees.\n\nResponse 16\nWe concur with the recommendation however, the ARRTS database design requires that the user\nID that the record was stored under be present; removing or disabling any user ID makes any\nrecords that are associated with that user ID irretrievable. Access to the ARRTS system requires\nthat a user first log into the OPM LAN with a valid user ID and password. If an OPM staff\nmember is terminated, retires, or leaves the agency they no longer have access to the OPM LAN\nand as a result they can no longer access the ARRTS application. If the employee changes jobs\nwithin OPM and no longer requires access to ARRTS, documented procedures will be in place to\nensure that the ARRTS application is removed from that individual\xe2\x80\x99s computer. While there\nmay be a low level risk still associated with outdated user IDs remaining active in ARRTS, we\nbelieve the level of risk is extremely low. This matter will require a Business Case Exception to\nbe developed and approved to accept this risk.\n\x0cRecommendation 17\nWe recommend that the Owners of ARRTS periodically audit active ARRTS user accounts to\nverify that accounts do not remain open for individuals no longer employed at OPM and that the\nlevel of access granted remains appropriate.\n\nResponse 17\nWe concur with the recommendation and will implement procedures requiring periodic audits of\nactive ARRTS user accounts however, the ARRTS database design requires that the user ID that\nthe record was stored under be present; removing or disabling any user ID makes any records\nthat are associated with that user ID irretrievable. Access to the ARRTS system requires that a\nuser first log into the OPM LAN with a valid user ID and password. If an OPM staff member is\nterminated, retires, or leaves the agency they no longer have access to the OPM LAN and as a\nresult they can no longer access the ARRTS application. If the employee changes jobs within\nOPM and no longer requires access to ARRTS, documented procedures will be in place to ensure\nthat the ARRTS application is removed from that individual\xe2\x80\x99s computer. While there may be a\nlow level risk still associated with outdated user IDs remaining active in ARRTS, we believe the\nlevel of risk is extremely low. This matter will require a Business Case Exception to be\ndeveloped and approved to accept this risk.\n\nPS-5 Personnel Transfer\n\nRecommendation 18\nWe recommend that the Owners of ARRTS disable/delete unnecessary user IDs for users who no\nlonger have a business reason to have access to ARRTS.\n\nResponse 18\nWe concur with the recommendation however, the ARRTS database design requires that the user\nID that the record was stored under be present; removing or disabling any user ID makes any\nrecords that are associated with that user ID irretrievable. Access to the ARRTS system requires\nthat a user first log into the OPM LAN with a valid user ID and password. If an OPM staff\nmember is terminated, retires, or leaves the agency they no longer have access to the OPM LAN\nand as a result they can no longer access the ARRTS application. If the employee changes jobs\nwithin OPM and no longer requires access to ARRTS, documented procedures will be in place to\nensure that the ARRTS application is removed from that individual\xe2\x80\x99s computer. While there\nmay be a low level risk still associated with outdated user IDs remaining active in ARRTS, we\nbelieve the level of risk is extremely low. This matter will require a Business Case Exception to\nbe developed and approved to accept this risk.\n\nPS-6 Access Agreements\n\nRecommendation 19\nWe recommend that the Owners of ARRTS develop a Rules of Behavior/Acceptable Use\nStatement for ARRTS and ensure it is signed by all users.\n\x0cResponse 19\nWe concur with the recommendation and the OIG will implement a Rules of\nBehavior/Acceptable Use document specifically for ARRTS to be signed by all current and\nfuture ARRTS users.\n\nRA-5 Vulnerability Scanning\n\nRecommendation 20\nWe recommend that the Owners of ARRTS ensure that routine vulnerability scans are conducted\non the system.\n\nResponse 20\nWe concur with the recommendation and as soon as ARRTS is transitioned to the OCIO\xe2\x80\x99s\nLAN/WAN GSS, the OCIO plans to do routine vulnerability scans.\n\nCM-6 Configuration Settings\n\nRecommendations 21\nWe recommend that the database supporting ARRTS be configured in a manner that is compliant\nwith OPM\xe2\x80\x99s policies.\n\nResponse 21\nWe concur with the recommendation and will coordinate with the OCIO to ensure that the\ndatabase and server is configured in a manner that is compliant with OPM\xe2\x80\x99s policies.\n\nRecommendation 22\nWe recommend that the server supporting ARRTS be configured in a manner that is compliant\nwith OPM\xe2\x80\x99s policies.\n\nResponse 22\nWe concur with the recommendation will coordinate with the OCIO to ensure that ARRTS is\ncompliant with OPM policies.\n\nClassification of ARRTS as a Minor Application\n\nRecommendation 23\nWe recommend that the Owners of ARRTS work with the OCIO to reclassify ARRTS as a minor\napplication within the LAN/WAN general support system.\n\nResponse 23\nWe concur with the recommendation and a Memorandum of Understanding is being developed\nin anticipation of the downgrade of ARRTS to a minor application system and the transition of\nARRTS to the OPM LAN/WAN GSS.\n\x0cRecommendation 24\nWe recommend that the OCIO update the LAN/WAN Information System Security Plan (ISSP)\nto reflect ARRTS as a minor application.\n\nResponse 24\nWe concur with the recommendation and we are currently working with the OCIO to downgrade\nARRTS to a minor application. We will work closely with the OCIO to ensure that the\nLAN/WAN ISSP is updated to reflect ARRTS as a minor application.\n\nIf you need any additional information or have any questions to our response to your draft audit\nreport, please contact              at (             , or                , of my staff, at\n\n\ncc:\n       Chief, Trust Funds\n       Office of the Chief Financial Officer\n\n\n       Chief, Audit Resolution\n       Healthcare and Insurance Office\n\n\n       Chief, Client Server Branch\n       Office of the Chief Information Officer\n\n       Terri Fazio\n       Assistant IG for Management\n       Office of the Inspector General\n\n\n       Senior Agency Information Security Officer\n       Office of the Chief Information Officer\n\n\n       Deputy Director\n       Internal Oversight and Compliance\n\x0c'